How to get expirations for all domains and sub-domains to match

QUESTION 1:
I’m managing 12 domains and 6 sub-domains.
Over the course of acquiring them and keeping up with the evolution of LetsEncrypt, many of them expire at different times.

I’d like to consolidate the process so that they all expire and can be renewed at the same time.
They’re all being managed under one shared hosting environment, using acme.sh
I was expecting acme.sh --renew-all to do the trick but as best as I can tell it did not.
Perhaps acme.sh --renew-all --force? Haven’t tried it yet

Before taking that step (to avoid using too many --force commands on a given day while testing),
my attempts so far revealed some additional issues, so…

QUESTION 2:
One of the sub-domains – an older one that’s been removed and should no longer be listed under acme.sh --renew-all – nonetheless shows up with a message:
cxotalk.trillionpictures.com:Verify error:DNS problem: NXDOMAIN looking up A for cxotalk.trillionpictures.com - check that a DNS record exists for this domain
[Thu Mar 26 11:59:10 PDT 2020] Please check log file for more details: ~/.acme.sh/acme.sh.log

That sub-domain was “removed” using acme.sh --remove -d cxotalk.trillionpictures.com, and there is no folder for it in the .acme.sh/ directory.

What else needs to happen to get rid of that domain?

TECH DETAILS:
Domains: trillionpictures.com, totallypostal.net, born2.run, feathercollectionproject.com, fixitamerica.org, gregoryparkinson.com, keeperofthedream.net, opq-design.com, radical-4.com, radical4.media, radical4media.com, samself.com, savingbarbarasizemore.com
Sub-Domains: db.trillionpictures.com, longplay.trillionpictures.com, munich72.trillionpictures.com, runwithme.trillionpictures.com, sevendeadlysins.trillionpictures.com

Hosting Provider: InMotionHosting.com
I can login to a root shell: No (shared hosting)
Control Panel: cPanel v86.0.16 (with no accommodation for LetsEncrypt. Using acme.sh instead)
Operating system: CentOS6 2.6.32-754.el6.x86_64

1 Like

Answering my own question here (Question 1 only)
I was able to get all the expiration dates to line up.
The trick was:
1 - Running acme.sh --renew-all --force and then
2 - Going back into cPanel and updating any certificates whose expiration dates were not lining up.

Re Question 2: haven’t figured that one out yet.

1 Like

you should use cron and run acme.sh --cron once a day, rather than trying to sync all renewals.

each certificate will be renewed at the correct time, each by themselves.

1 Like

Simple as that? Just acme.sh --cron with no other specs? That automatically sets up a cron job for once a day?

1 Like

No, that is the command that gets run each day.

To install the cronjob use acme.sh --install-cronjob

2 Likes

Thanks for the clarification.

Although I just checked, and it looks as though running the first command once, acme.sh --cron, actually did set up a cron job: "~/.acme.sh"/acme.sh --cron --home "~/.acme.sh" > /dev/null to be run every 50 minutes.

I changed it to once per day, but should I remove the additional commands to reduce it to your acme.sh --cron?

1 Like

no, the other stuff is there because cron and your interactive shell are a lot different when it comes to paths and aliases.

it probably was there since you installed acme.sh, the cron line.

1 Like

So we’re all set re question #1? Thanks for your help!

Re question #2 – any idea about that old sub-domain that shows up as an error?

1 Like

what's the output of ls -la "${LE_WORKING_DIR}" ?

also, echo "${LE_WORKING_DIR}" can be useful

1 Like

ls -la "${LE_WORKING_DIR}" | grep '.'

total 180052
drwx------ 15 [uid] [uid] 4096 Mar 26 12:01 ./
drwx--x--x 43 [uid] [uid] 4096 Mar 26 12:00 ../
-rw-r--r-- 1 [uid] [uid] 381 Mar 26 12:48 account.conf
-rwxr-xr-x 1 [uid] [uid] 196526 Mar 26 10:55 acme.sh*
-rw-r--r-- 1 [uid] [uid] 94 May 22 2019 acme.sh.env
-rw-r--r-- 1 [uid] [uid] 184082558 Mar 26 12:49 acme.sh.log
drwxr-xr-x 2 [uid] [uid] 4096 May 22 2019 born2.run/
drwxr-xr-x 4 [uid] [uid] 4096 May 22 2019 ca/
drwxr-xr-x 2 [uid] [uid] 4096 Jun 27 2019 db.trillionpictures.com/
drwxr-xr-x 2 [uid] [uid] 4096 Mar 26 10:55 deploy/
drwxr-xr-x 2 [uid] [uid] 4096 Mar 26 10:55 dnsapi/
-rw-r--r-- 1 [uid] [uid] 597 Mar 26 12:49 http.header
drwxr-xr-x 2 [uid] [uid] 4096 Jun 27 2019 iot.trillionpictures.com/
drwxr-xr-x 2 [uid] [uid] 4096 May 22 2019 longplay.trillionpictures.com/
drwxr-xr-x 2 [uid] [uid] 4096 May 22 2019 munich72.trillionpictures.com/
drwxr-xr-x 2 [uid] [uid] 4096 Mar 26 10:55 notify/
drwxr-xr-x 2 [uid] [uid] 4096 May 22 2019 runwithme.trillionpictures.com/
drwxr-xr-x 2 [uid] [uid] 4096 May 22 2019 sevendeadlysins.trillionpictures.com/
drwxr-xr-x 2 [uid] [uid] 4096 May 22 2019 trillionpictures.com/
drwxr-xr-x 2 [uid] [uid] 4096 May 22 2019 www.trillionpictures.com/

echo "${LE_WORKING_DIR}"
/home/[uid]/.acme.sh

1 Like

is it possible that that subdomain is not on a cert by itself? check with acme.sh --list

1 Like

Not entirely sure. It does appear in the listing of acme.sh --list in the first listing of the domains & sub-domains, but so do a number of other now-deleted sub-domains.

1 Like

You need to replace the certificates in which the offending domains appear, then.

1 Like

You need to replace the certificates in which the offending domains appear, then.

Meaning remove / delete all the certificates, then reissue only those that are still active?

First issue updated certs, install them, check they work; then remove older ones. Only modify those you need to modify, there’s no need to reset your entire configuration.

1 Like

I might not be understanding. I did what I think you’re suggesting, all went fine, but when running acme.sh --renew-all the outdated / now-deleted sub-domain still appears and triggers the error message.

Where does --renew-all get its listing of domains & sub-domains? Is that a list that can be fixed?

1 Like

now you can --remove those you don’t need anymore. By certificate name (the directory name, the first column in --list), not by domain.

1 Like

So before, when trying to remove a domain I was using acme.sh --remove -d domain.com
I’m assuming I’m not using the -d switch when removing by ‘certificate name’?

1 Like

I guess you need to give all domains, not one. :smiley: (dunno, check the docs: acme.sh with no options)

1 Like

Well I didn’t see an option other than the -d switch, but I think I figured it out.
Thanks to your note "--remove those [in the] first column in --list".

It took some interpreting of the logic of the --list output. In that output in the 1st row, 1st column was a domain. In that same row, but in the 2nd (or 3rd? hard to interpret the output) column was the listing of all the associated domains, many of which were these old and removed domains, including the one causing the error.

So per your advice I ran acme.sh --remove -d offendingdomain, which took out that entire row from the --list output. Down below, in the most recent row of the --list output was an entry that showed the most recent, updated domains, which don’t include all the old, outdated sub-domains.

Assuming I’m understanding all of this correctly, acme.sh --renew-all and acme.sh --cron use this listing when making their attempts to update all the certs, correct?

At the moment the --list looks clean and accurate, with no outdated domains, no duplicates. I get the impression all is resolved, thanks to your help.

2 Likes
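The step the thread ends on (reading the first column of acme.sh --list to find which certificate still carries a deleted sub-domain in its SAN list) can be scripted. The function below is an added example, not code from the thread or from acme.sh; the listing it parses is constructed, and the column layout (Main_Domain, KeyLength, SAN_Domains, CA, Created, Renew) is assumed to match what acme.sh --list prints.

```shell
#!/bin/sh
# Constructed sample of `acme.sh --list` output (assumed column layout).
# The first row is the old certificate that still lists removed sub-domains;
# the last row is the re-issued certificate with only the live names.
SAMPLE_LIST='Main_Domain  KeyLength  SAN_Domains  CA  Created  Renew
trillionpictures.com  "2048"  www.trillionpictures.com,cxotalk.trillionpictures.com,db.trillionpictures.com,iot.trillionpictures.com  LetsEncrypt.org  2019-05-22T17:00:00Z  2019-07-21T17:00:00Z
born2.run  "2048"  no  LetsEncrypt.org  2019-05-22T17:05:00Z  2019-07-21T17:05:00Z
www.trillionpictures.com  "2048"  trillionpictures.com,db.trillionpictures.com  LetsEncrypt.org  2020-03-26T19:00:00Z  2020-05-25T19:00:00Z'

# stale_cert_names LISTING DOMAIN
# Prints the Main_Domain (the "certificate name" acme.sh --remove -d expects)
# of every certificate whose main domain or SAN list contains DOMAIN.
# A domain that was deleted from DNS but still appears here is what makes
# --renew-all / --cron fail with NXDOMAIN.
stale_cert_names() {
  printf '%s\n' "$1" | awk -v gone="$2" '
    NR == 1 { next }                           # skip the header row
    $1 == gone { print $1; next }              # DOMAIN is the main domain itself
    {
      n = split($3, san, ",")                  # SAN column is comma-separated ("no" if empty)
      for (i = 1; i <= n; i++)
        if (san[i] == gone) { print $1; break }
    }'
}

# Show the removal command the thread settled on for each affected certificate.
# It is only printed here; run it yourself once the re-issued cert is installed.
stale_cert_names "$SAMPLE_LIST" cxotalk.trillionpictures.com |
  while read -r name; do
    printf 'acme.sh --remove -d %s\n' "$name"
  done
```

With the sample above the loop prints only the old trillionpictures.com certificate; the re-issued www.trillionpictures.com one never listed the deleted sub-domain, so it stays.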